As October is Cybersecurity Awareness Month, it's an especially appropriate time to provide an overview of the evolving cybersecurity obligations, guidance, and risks following recent regulatory developments and cyberattacks that regulators are seeking to address.

We offer four critical takeaways for every business in managing their cybersecurity program.

Regulatory developments

In the past few months, a series of cybersecurity events, developments, and proposals have emerged from federal and state regulators in (i) the nation's capital [Washington, D.C.], (ii) the nation's financial capital [New York], and (iii) arguably, the nation's data protection capital [California].

Federal regulatory developments

At the federal level, the U.S. Securities and Exchange Commission (SEC) and the Federal Acquisition Regulatory (FAR) Council have been actively pursuing rulemaking to roll out new cybersecurity rules.

The SEC:

  • The SEC adopted new rules (SEC Rules) to enhance and standardize disclosures with respect to cybersecurity risk management, strategy, governance, and incidents by public reporting companies. (For more details, please see our prior alert on the new SEC Rules.)
  • Gurbir Grewal, the Director of the SEC's Division of Enforcement, laid out five principles of the Enforcement Division in connection with cybersecurity and disclosure. In short, they are:
    1. Focusing on customers, shareholders and companies as the real victims of cyberattacks;
    2. Ensuring cyber policies and procedures are practical and actually implemented;
    3. Regular review/updates to cyber policies and procedures to address evolving threats;
    4. Reporting cyber incidents to senior management to ensure proper disclosures; and
    5. Transparency with your customers is a core value that should not be overshadowed, even if the SEC Rules do not technically require disclosure.

You can read the SEC's full remarks here.

  • The SEC issued "Wells Notices" to certain current and former executive officers of SolarWinds, including its CFO and CISO, arising out of a major 2020 cyberattack against the software monitoring company. A "Wells Notice" is a letter (i) notifying the recipient of the substance of potential civil charges that the SEC may bring against the recipient and (ii) providing the recipient with the opportunity to submit a response.

The FAR Council:

  • The FAR Council released two new proposed cybersecurity rules that, if implemented, would impose substantial additional obligations on government contractors, including with respect to (i) incident reporting and (ii) cybersecurity standards. (See FAR Case No. 2021-0017 and FAR Case No. 2021-0019.) These rules apply to federal government contractors and federal information systems and are intended to implement aspects of President Biden's 2021 Executive Order on Improving the Nation's Cybersecurity (EO 14028). The public comment period is open until December 4, 2023.

State regulatory developments

State regulators in New York and California continue to lead on cybersecurity initiatives.

New York Department of Financial Services (NYDFS)

  • NYDFS published an updated "Revised Proposed Second Amendment" (Updated Amendment) to its Cybersecurity Requirements for Financial Services Companies (Cybersecurity Requirements). Timing for finalization of the updated Part 500 rules remains unclear.

California Privacy Protection Agency (CPPA)

  • The CPPA released its initial draft regulations under the California Privacy Rights Act (CPRA) with respect to cybersecurity audits. Timing for finalization of the cybersecurity rule remains unclear.

While not every measure prescribed by these federal and state regulators will apply to every company, the recent spate of attention highlights the importance of cybersecurity to both federal and state regulators. As companies directly impacted by these regulatory developments reshape their cybersecurity compliance programs to comply, we expect a new industry baseline in cybersecurity to emerge.

Cyberattacks

Meanwhile, concurrent with such regulatory developments, the necessity for a robust cybersecurity and cyber resilience program has been further underscored by seemingly endless announcements of high-profile cyberattacks across industries and sectors, including:

  • Distributed-denial-of-service (DDoS) attacks against major cloud infrastructure providers, including attacks against Amazon Web Services, Cloudflare, and Google. The DDoS attack against Google was reported to have peaked at 398 million requests per second, "'the largest ever' – approximately 'seven and a half times larger than the previous record-breaking DDoS attack'"; and
  • Ransomware attacks against targets in a wide variety of industries, including:
    • Consumer Product Goods companies [Estée Lauder and Clorox]
    • Casino companies [MGM Resorts and Caesars Entertainment]
    • Healthcare companies [Prospect Medical Holdings]
    • Nonprofits

Estée Lauder, MGM Resorts, and Caesars Entertainment have already had class action lawsuits filed against them arising out of such cyberattacks, and plaintiffs'-side class action firms appear to be investigating potential claims against Clorox and Prospect Medical Holdings.

By way of example, Clorox and MGM Resorts are reported to have already experienced massive damages due to those ransomware attacks:

Clorox

  • Net sales for Q3 2023 are expected to decrease by 28% to 23% from a year ago;
  • Organic sales for Q3 2023 are expected to decrease by 26% to 21%, compared to the company's prior expectations of mid-single digits growth;
  • Gross margin for Q3 2023 is expected to be down from the year-ago quarter, compared to the company's prior expectations for gross margin to increase;
  • Adjusted earnings per share is expected to be a loss of $0.40 to $0.00, "as the impact from the cybersecurity attack more than offset the benefits of pricing, cost savings and supply chain optimization"; and
  • The cyberattack "caused widespread disruption of Clorox's operations, including order processing delays and significant product outages."

See Oct. 4, 2023 Form 8-K filed with the SEC.

MGM Resorts

  • The company's computer systems were reported to have been disrupted for 10 days [all in September] as a result of the cyberattack; and
  • The company estimates a negative impact from the cybersecurity issue of approximately US$100m to Adjusted Property EBITDAR.

See Oct. 5, 2023 Form 8-K filed with the SEC.


These incidents are contrasted against other ransomware attacks that have seemingly spanned all sectors in a single attack. For example, in the recent MOVEit breach, attackers exploited a vulnerability in the MOVEit Transfer file transfer software to steal data from the organizations that ran it, impacting over 2,500 organizations, including governments, banks, and private and public companies. The plaintiffs' bar has been adding lawsuits not only against the vendor of the software, but also against a host of other companies who relied on the file transfer software (directly or through their own vendors) and whose customer data was compromised in the breach.

Key takeaways

Against this backdrop of recent cyberattacks and regulatory developments, we underscore the following takeaways that build on SEC Director Grewal's principles:

Takeaway #1

Cybersecurity programs must be "real", not "check-the-box."

SEC guidance

SEC Director Grewal remarked that "firms need to have real policies that work in the real world, and then they need to actually implement them; having generic 'check-the-box' cybersecurity policies simply doesn't cut it."

Director Grewal referenced a pair of 2022 SEC actions arising from alleged instances of companies' "just paying lip service" to their legal and regulatory requirements, including those under Regulation S-ID, the SEC's "Identity Theft Red Flags Rule."

As an example of such "lip service", Director Grewal indicated that one such company's required written identity theft prevention program "simply restated Regulation S-ID's requirement" – it included the obligations, but not "how" to comply in practice.

The referenced actions resulted in settlements of US$1.2m and US$925,000, respectively.

CPPA implementing regulations

Similarly, the CPPA's draft regulations would require that:

  • The cybersecurity audit shall assess and document with specificity each of a lengthy enumerated list of cybersecurity safeguards, including the following:
    • Multi-factor authentication (MFA).
    • Strong unique passwords or passphrases.
    • Encryption, at rest and in transit.
    • Zero trust architecture.
    • Account management and access controls.
    • Inventory of personal information and the business's information system.
    • Secure hardware and software configurations.
    • Internal and external vulnerability scans and penetration testing.
    • Audit log management.
    • Network monitoring and defenses.
    • Antivirus and antimalware protections.
    • Cybersecurity awareness, education, and training, including for each employee.
    • Retention schedules and proper disposal of personal information.
    • Security incident management, including incident response management.
    • Business continuity and disaster recovery plans, including data recovery capabilities and backups.
  • If a business does not implement any of those safeguards (as not applicable), the audit shall document and explain (i) why such safeguard is not necessary and (ii) how the safeguards that the business does have in place provide at least equivalent security.

NYDFS cybersecurity requirements

  • The NYDFS's Cybersecurity Requirements, if and as amended by the Updated Amendment, would require "covered entities" to implement many of the same safeguards as those required by the CPPA's draft regulations.

The draft regulations issued by CPPA and NYDFS each emphasize the critical nature of implementation in establishing a company's cybersecurity program, making it that much harder for companies to have 'check-the-box' compliance.

Employee cyber education and training

One example of "real" vs. "check-the-box" cybersecurity measures is with respect to employee education and training.

While we do not have visibility into the cybersecurity education and training that may have been provided by MGM Resorts to its employees, we note that, according to a malware research collective, the cyberattack on MGM Resorts resulted from a series of basic "social-engineering" steps – identification of an MGM Resorts employee on LinkedIn, followed by a 10-minute phone call to the MGM Resorts IT help desk – that enabled the ransomware group to obtain access to MGM Resorts' systems.

Notably, the NYDFS's Updated Amendment – published more than two months before the cyberattack on MGM Resorts and more than seven weeks before the cyberattack on Caesars Entertainment (which also originated via social engineering) – would add that required cybersecurity awareness training must include training with respect to "social engineering" risks.

While the NYDFS regulations regulate financial services companies in New York State, they are often looked to in setting cybersecurity standards in the industry.

"Real" cybersecurity education and training should be tailored not only to the applicable business and the risks that it faces, but also on a department-by-department basis to address each department's particular responsibilities and risks (e.g., HR versus Tax versus IT).

Takeaway #2

Companies must regularly review and update their cybersecurity programs to keep up with constantly evolving threats.

The typical standard with respect to such "regular" review and update is "at least annual."

For example, the NYDFS's Updated Amendment would apply the "at least annual" standard to, among other things:

  • Review, assessment, and updating of all written cybersecurity procedures, guidelines, and standards by the covered entity's chief information security officer;
  • Approval of cybersecurity policy(ies) by the covered entity's "senior governing body";
  • Review of the covered entity's user access privileges;
  • Cybersecurity awareness training to all of the covered entity's personnel;
  • Testing of the covered entity's incident response plan and business continuity and disaster recovery plan; and
  • Penetration testing.

However, annually may not be enough. Companies will need to exercise judgment about when a significant or material change has impacted their business and altered their risk profile. They will need to respond in kind by conducting updated cybersecurity risk assessments and updating relevant policies and procedures.

  • The NYDFS's Updated Amendment would add, with respect to a covered entity's obligation to conduct a periodic risk assessment, that such "risk assessment shall be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity's cyber risk"; and
  • Director Grewal commented that "What worked 12 months ago probably isn't going to work today, or at a minimum may be less effective", certainly seeming to suggest that such reviews and updates should occur more frequently than annually.

Regular reviews, assessments and updates are crucial to preventing and mitigating cyberattacks. In this environment, change is constant, and it is essential to monitor developments (for example, the trend of cybercriminals targeting casino companies, likely due to such companies' substantial financial resources and high costs of downtime).

As another example, according to the class action complaint against SolarWinds (which resulted in a US$26m settlement with investors) arising out of the major 2020 data breach, "solarwinds123 – the compromised, publicly available password – was commonly used at the Company, and other passwords were 'hard-coded' and never changed for years." Presumably, such an easily guessed password, and credentials hard-coded into software or configuration, would have been uncovered by a cybersecurity review or audit (for example, a check of passwords against a blocklist of common and company-specific values, and a scan of source repositories and configuration for embedded credentials), had one been conducted.

As noted above, the CPPA's draft regulations include a requirement for "strong unique passwords or passphrases" in the enumerated list of cybersecurity safeguards. In addition, the NYDFS's Updated Amendment would require (i) a written password policy that meets industry standards, if passwords are employed as a method of authentication, and (ii) a newly created category of "Class A companies" to implement an automated method of blocking commonly used passwords.
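As an added illustration of what an "automated method of blocking commonly used passwords" can look like in practice (example code written for this alert; it is not part of any regulation, the NYDFS's or CPPA's materials, or any vendor's product), the following check would run whenever a password is set or reset. It normalizes the candidate the way attackers' wordlists already do (case folding, dropping trailing digits and symbols such as "123" or "!", undoing leet-speak substitutions), then compares it against a blocklist of common passwords and against context-specific terms such as the company's own name. The blocklist below is a small constructed sample; a production deployment would load a full breach-corpus list (an assumption of this example), and the normalization rules and minimum length are this example's own choices.

```python
"""Password blocklist check (added example, not from the original article).

Assumptions: COMMON_PASSWORDS is a constructed sample standing in for a
breach-corpus list that a real deployment would load from a file; the
normalization rules and the 12-character minimum are this example's choices.
"""
import re
import unicodedata
from typing import Iterable, List, Optional

# Constructed sample blocklist; real lists contain millions of entries.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "monkey", "dragon",
})

# Leet-speak substitutions that password-cracking rule sets already undo.
_LEET = str.maketrans({
    "@": "a", "$": "s", "!": "i",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
})


def normalize(password: str) -> str:
    """Canonical form used for matching.

    Unicode-normalize and case-fold, drop any trailing run of non-letters
    (so 'solarwinds123' -> 'solarwinds' and 'Welcome2023' -> 'welcome'),
    then undo leet substitutions (so 'P@ssw0rd' -> 'password').
    """
    s = unicodedata.normalize("NFKC", password).casefold()
    s = re.sub(r"[^a-z]+$", "", s)   # strip trailing '123', '!', '2023', ...
    return s.translate(_LEET)


def blocked_reason(password: str, context_terms: Iterable[str] = ()) -> Optional[str]:
    """Return why the password is blocked, or None if it passes the blocklist.

    context_terms are company-specific words (company name, product names,
    domain) that must not appear anywhere in the normalized password.
    """
    base = normalize(password)
    if base in COMMON_PASSWORDS:
        return f"'{base}' is on the common-password blocklist"
    for term in context_terms:
        t = term.casefold()
        if t and t in base:
            return f"contains context-specific term '{term}'"
    return None


def check_password(password: str, context_terms: Iterable[str] = (),
                   min_length: int = 12) -> List[str]:
    """Policy check combining a length floor with the blocklist.

    Returns the list of failures; an empty list means the password is accepted.
    """
    failures: List[str] = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    reason = blocked_reason(password, context_terms)
    if reason:
        failures.append(reason)
    return failures


if __name__ == "__main__":
    # Constructed candidates, including the password quoted in the article.
    for candidate in ["solarwinds123", "P@ssw0rd!", "Welcome2023",
                      "correct horse battery staple"]:
        result = check_password(candidate, context_terms=("SolarWinds",))
        print(f"{candidate!r}: {result or 'accepted'}")
```

The normalization step is what separates a "real" control from a check-the-box one: a literal string comparison against a blocklist would accept "P@ssw0rd!" and "solarwinds123" even though both are among the first guesses an attacker makes. The company-name rule also catches the kind of password quoted in the SolarWinds complaint, which no generic blocklist would contain.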

Takeaway #3

Appropriate information must be reported, both internally and externally.

Reporting internally

Examples of internal reporting obligations and principles in connection with the recent regulatory developments include:

  • The CPPA's draft cybersecurity audit regulations, which would require that the audit's findings be reported to the business's board of directors; and
  • Director Grewal's comment that "It's crucial not only for a company to have developed and implemented appropriate policies and procedures in connection with a cyber incident, but also for the company's personnel to understand and follow such policies and procedures."

Director Grewal provided as an example a nearly half-million-dollar 2021 SEC settlement involving a company whose employees identified a cybersecurity vulnerability, but did not remediate it in accordance with the company's policies or report it to senior executives responsible for the company's disclosures.

Reporting externally

Each of the regulatory developments includes obligations on external reporting and disclosures about cybersecurity incidents:

SEC guidance

SEC Rules require companies to (i) determine whether a cybersecurity incident is material "without unreasonable delay after discovery of the incident" and (ii) file an Item 1.05 current report on Form 8-K [or amend a prior 1.05 current report] within four business days of determining an incident was material.

Director Grewal warned that a company that violates its disclosure obligations "will most likely face stiffer penalties once the breach gets out, as it invariably will." In connection with such warning, Director Grewal cautioned companies not to seek to avoid disclosure obligations through "hyper-technical readings of the rules or by minimizing the cyber incident." For support, Director Grewal provided two examples:

  • A US$1m 2021 SEC settlement in connection with a company referring in a public report to a "data privacy incident as a hypothetical risk, even though it had already occurred"; and
  • A US$3m settlement in March 2023 arising out of alleged misleading disclosures in a company's quarterly report.

In particular, the SEC Rules require companies to provide cybersecurity disclosures about risk management, strategy, and governance in annual reports on Form 10-K, including:

  • Their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats;
  • Whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition;
  • The board's oversight of risks from cybersecurity threats; and
  • Management's role in assessing and managing material risks from cybersecurity threats.

NYDFS guidance

NYDFS's Updated Amendment would require covered entities to quickly report cyber events, as well as ransomware payments. These obligations include:

  • Expanding a covered entity's obligation to notify the superintendent of the NYDFS "as promptly as possible" (but not more than 72 hours after a determination that a cybersecurity event has occurred), as follows:
    • To expressly include events at the covered entity, its affiliates, or a third-party service provider; and
    • To augment the set of covered cybersecurity events; and
  • Requiring each covered entity, in the event of a ransomware payment in connection with a cybersecurity event, to provide the NYDFS superintendent with:
    • Notice of such payment within 24 hours of payment; and
    • A written description of (i) the reasons payment was necessary, (ii) the alternatives considered, and (iii) diligence performed, within 30 days of payment.

Additionally, the NYDFS's Updated Amendment (and the CPPA's draft regulations) would require covered businesses to submit to the applicable agency:

  • A written certification, signed by an appropriate signatory(ies), that the business complied with the applicable cybersecurity requirements during the applicable 12-month period; or
  • A written acknowledgement of noncompliance (which must include (i) the specific elements of noncompliance and (ii) a remediation timeline or confirmation that remediation has been completed).

Takeaway #4

Individuals whose personal data is compromised are NOT the only victims

As the first principle of the SEC Enforcement Division, Director Grewal indicated that "When there are cyberattacks on publicly traded companies and other market participants, we consider the investing public to also be potential victims of those incidents."

Similarly, class action lawsuits arising out of cybersecurity incidents have been filed not just on behalf of affected "consumers" whose personal data was compromised (e.g., in connection with the Estée Lauder, MGM Resorts, and Caesars Entertainment cyberattacks), but also on behalf of investors in the company targeted by the cyberattack (e.g., in connection with the SolarWinds cyberattack).

As noted earlier, the SolarWinds securities class action claim resulted in a US$26m settlement with shareholders.

The potential claims that plaintiffs'-side class action firms appear to be investigating against Clorox are on behalf of investors in the company, and would likely argue that such investors purchased securities on the basis of misleading information issued by the company.

Conclusion

Cognizant of rapidly developing technology and rapidly increasing risks, federal and state regulators are paying close attention to cybersecurity, as are plaintiffs'-side class action attorneys. In this regulatory environment, and in this risk environment, companies must ensure that their cybersecurity programs (including policies, procedures, and safeguards) are appropriately designed, implemented, reviewed, maintained, and updated.

Linklaters has substantial experience helping clients with their cyber preparedness and data governance programs. If you'd like assistance with your cybersecurity and resiliency efforts, please reach out to schedule a call at your earliest convenience.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.